DNS rewrite on a Palo Alto Networks firewall

Scenarios in which DNS doctoring applies.

Scenario 1: 
External DNS Server is returning the public IP of an application server to a client who is also sitting behind the same firewall.

 
Traffic Flow in this case:

1. In the above case, DNS server 4.2.2.2 replies to the DNS query of the client with the public IP of the Web server, for example, 198.51.100.3.
2. The client now accesses the web server on the public IP and forwards that request to the Firewall. 
3. The firewall tries to do route lookup for 198.51.100.3 IP and finds a route via Eth1/1 (Untrust Zone) pointing to the ISP and sends the packet out.

A firewall capable of DNS rewriting will translate the IP address in the DNS response to the private IP address of the server since it has NAT mapping for the same, which enables the client to directly access the Server through LAN to LAN routing/ policies.

Workarounds

1. Configure the client to use the firewall as DNS proxy, and on Firewall configure a static entry for www.example.com as 10.1.1.3. For all other lookups, the firewall can use 4.2.2.2 as the DNS server. How to Configure DNS Proxy on a Palo Alto Networks Firewall   OR
2. Use U-Turn NAT, thereby forwarding the traffic from the client to the Server: How to Configure U-Turn NAT

Scenario 2:
Internal DNS server is returning a private IP address of application server to both Internal and external users.

The external user will not be able to access the server since it will get the private IP address of the Web Server.  

Workarounds

1. Add a secondary DNS server (preferably in a DMZ zone) to serve external clients with a public IP address to the server.
2. Change the DNS Server’s A record to use the public IP of the Web Server, and then use the U-Turn NAT solution as in Case 1 for the internal Client to be able to access the Web Server.
3. Some DNS servers, like bind9, can serve different records depending on the source IP of the requestor